feat(apisix): add Cloudron package

- Implements Apache APISIX packaging for Cloudron platform.
- Includes Dockerfile, CloudronManifest.json, and start.sh.
- Configured to use Cloudron's etcd addon.

🤖 Generated with Gemini CLI
Co-Authored-By: Gemini <noreply@google.com>

CloudronPackages/APISIX/apisix-source/ci/pod/keycloak/kcadm_configure_basic.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+export PATH=/opt/keycloak/bin:$PATH
+
+kcadm.sh config credentials --server http://127.0.0.1:8080 --realm master --user admin --password admin
+
+# create realm
+kcadm.sh create realms -s realm=basic -s enabled=true
+
+# set realm keys with specific private key, reuse tls cert and key
+PRIVATE_KEY=$(awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' /opt/keycloak/conf/server.key.pem)
+CERTIFICATE=$(awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' /opt/keycloak/conf/server.crt.pem)
+kcadm.sh create components -r basic -s name=rsa-apisix -s providerId=rsa \
+    -s providerType=org.keycloak.keys.KeyProvider \
+    -s 'config.priority=["1000"]' \
+    -s 'config.enabled=["true"]' \
+    -s 'config.active=["true"]' \
+    -s "config.privateKey=[\"$PRIVATE_KEY\"]" \
+    -s "config.certificate=[\"$CERTIFICATE\"]" \
+    -s 'config.algorithm=["RS256"]'
+
+# create client apisix
+kcadm.sh create clients \
+    -r basic \
+    -s clientId=apisix \
+    -s enabled=true \
+    -s clientAuthenticatorType=client-secret \
+    -s secret=secret \
+    -s 'redirectUris=["*"]' \
+    -s 'directAccessGrantsEnabled=true'
+
+# add audience to client apisix, so that the access token will contain the client id ("apisix") as audience
+APISIX_CLIENT_UUID=$(kcadm.sh get clients -r basic -q clientId=apisix | jq -r '.[0].id')
+kcadm.sh create clients/$APISIX_CLIENT_UUID/protocol-mappers/models \
+  -r basic \
+  -s protocol=openid-connect \
+  -s name=aud \
+  -s protocolMapper=oidc-audience-mapper \
+  -s 'config."id.token.claim"=false' \
+  -s 'config."access.token.claim"=true' \
+  -s 'config."included.client.audience"=apisix'
+
+# create client apisix
+kcadm.sh create clients \
+    -r basic \
+    -s clientId=apisix \
+    -s enabled=true \
+    -s clientAuthenticatorType=client-secret \
+    -s secret=secret \
+    -s 'redirectUris=["*"]' \
+    -s 'directAccessGrantsEnabled=true'
+
+# create client apisix-no-aud, without client id audience
+# according to Keycloak's default implementation, when unconfigured,
+# only the account is listed as an audience, not the client id
+
+kcadm.sh create clients \
+    -r basic \
+    -s clientId=apisix-no-aud \
+    -s enabled=true \
+    -s clientAuthenticatorType=client-secret \
+    -s secret=secret \
+    -s 'redirectUris=["*"]' \
+    -s 'directAccessGrantsEnabled=true'
+
+# create user jack
+kcadm.sh create users -r basic -s username=jack -s enabled=true
+kcadm.sh set-password -r basic --username jack --new-password jack

CloudronPackages/APISIX/apisix-source/ci/pod/keycloak/kcadm_configure_cas.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -ex
+
+export PATH=/opt/keycloak/bin:$PATH
+
+kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
+
+kcadm.sh create realms -s realm=test -s enabled=true
+
+kcadm.sh create users -r test -s username=test -s enabled=true
+kcadm.sh set-password -r test --username test --new-password test
+
+clients=("cas1" "cas2")
+rootUrls=("http://127.0.0.1:1984" "http://127.0.0.2:1984")
+
+for i in ${!clients[@]}; do
+    kcadm.sh create clients -r test -s clientId=${clients[$i]} -s enabled=true \
+        -s protocol=cas -s frontchannelLogout=false -s rootUrl=${rootUrls[$i]} -s 'redirectUris=["/*"]'
+done

CloudronPackages/APISIX/apisix-source/ci/pod/keycloak/kcadm_configure_university.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+export PATH=/opt/keycloak/bin:$PATH
+
+kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
+
+# create realm University
+kcadm.sh create realms -s realm=University -s enabled=true
+
+# create roles `Teacher, Student`
+kcadm.sh create roles -r University -s name=Teacher
+kcadm.sh create roles -r University -s name=Student
+
+# create users `teacher@gmail.com, student@gmail.com`
+kcadm.sh create users -r University -s username=teacher@gmail.com -s enabled=true
+kcadm.sh create users -r University -s username=student@gmail.com -s enabled=true
+
+# set password
+kcadm.sh set-password -r University --username teacher@gmail.com --new-password 123456
+kcadm.sh set-password -r University --username student@gmail.com --new-password 123456
+
+# bind roles to users
+kcadm.sh add-roles -r University --uusername teacher@gmail.com --rolename Teacher
+kcadm.sh add-roles -r University --uusername student@gmail.com --rolename Student
+
+# create client course_management
+kcadm.sh create clients -r University -s clientId=course_management -s enabled=true -s clientAuthenticatorType=client-secret -s secret=d1ec69e9-55d2-4109-a3ea-befa071579d5
+
+client_id=$(kcadm.sh get clients -r University --fields id,clientId 2>/dev/null | jq -r '.[] | select(.clientId=='\"course_management\"') | .id')
+teacher_id=$(kcadm.sh get roles -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"Teacher\"') | .id')
+student_id=$(kcadm.sh get roles -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"Student\"') | .id')
+
+# update client course_management
+kcadm.sh update clients/${client_id} -r University -s protocol=openid-connect -s standardFlowEnabled=true \
+  -s implicitFlowEnabled=true -s directAccessGrantsEnabled=true -s serviceAccountsEnabled=true \
+  -s authorizationServicesEnabled=true -s 'redirectUris=["*"]' -s 'webOrigins=["*"]'
+
+kcadm.sh update clients/${client_id}/authz/resource-server -r University -s allowRemoteResourceManagement=false -s policyEnforcementMode="ENFORCING"
+
+# create authz-resource with name `course_resource`, uri `/course/*`, scope `DELETE, delete, view, GET`
+kcadm.sh create clients/${client_id}/authz/resource-server/resource -r University -s name=course_resource \
+  -s ownerManagedAccess=false -s uris='["/course/*"]' -s scopes='[{"name": "DELETE"},{"name": "view"},{"name": "GET"},{"name": "delete"}]'
+
+course_resource_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/resource -r University --fields _id,name 2>/dev/null | jq -r '.[] | select(.name=='\"course_resource\"') | ._id')
+DELETE_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"DELETE\"') | .id')
+delete_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"delete\"') | .id')
+GET_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"GET\"') | .id')
+view_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"view\"') | .id')
+
+# create authz-policy `AllowTeacherPolicy, AllowStudentPolicy`
+kcadm.sh create clients/${client_id}/authz/resource-server/policy/role -r University \
+  -s name="AllowTeacherPolicy" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+  -s roles='[{"id": '\"${teacher_id}\"'}]'
+
+kcadm.sh create clients/${client_id}/authz/resource-server/policy/role -r University \
+  -s name="AllowStudentPolicy" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+  -s roles='[{"id": '\"${student_id}\"'}]'
+
+allow_teacher_policy_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/policy -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"AllowTeacherPolicy\"') | .id')
+allow_student_policy_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/policy -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"AllowStudentPolicy\"') | .id')
+
+# create authz-permission `Delete Course Permission` and `View Course Permission`
+kcadm.sh create clients/${client_id}/authz/resource-server/permission/scope -r University \
+  -s name="Delete Course Permission" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+  -s policies='['\"${allow_teacher_policy_id}\"']' \
+  -s scopes='['\"${DELETE_scope_id}\"', '\"${delete_scope_id}\"']' \
+  -s resources='['\"${course_resource_id}\"']'
+
+kcadm.sh create clients/${client_id}/authz/resource-server/permission/scope -r University \
+  -s name="View Course Permission" -s logic="POSITIVE" -s decisionStrategy="AFFIRMATIVE" \
+  -s policies='['\"${allow_teacher_policy_id}\"', '\"${allow_student_policy_id}\"']' \
+  -s scopes='['\"${GET_scope_id}\"', '\"${view_scope_id}\"']' \
+  -s resources='['\"${course_resource_id}\"']'

CloudronPackages/APISIX/apisix-source/ci/pod/keycloak/server.crt.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUbZfnhty/ZiHPz5Aq8kK5Kr8kcSQwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzA0MTgxMTQzNDJaFw0zMzA0
+MTUxMTQzNDJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC/F4wK7eMTVAKGDMLCXE+Y6REdA5GU6/AakJf3NEKQ
+wCrtrqO+VBPIz445+edf3EEXhjFFGPdU6p0EkF0SMLaMsVBQQJ2qcP6FloIYiyT3
+WCs/gbtdoWq53ucAfWueIyHWsovLc0VhOXm0rhTYg88nMjJ7y6vYkfLMT6qlwASn
+9Tozgjat09fWATbN7yBi4ivVVsKDo2S3jkOyVnYYMjzZO3CSkyUSMl+ZsSesseSK
+A9c2zogfKIU833njraA8blMFfdinEMI/9yceEx57IUjnpY1iWHLSItiZF+LKEpeL
+vp9gpr88ghR85ISusqAqwcmnsdAqjjw7gbPm1DIvUgVBAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRvlz5ZiE2fD9ikPRqpYwsVrxZfxTAfBgNVHSMEGDAWgBRvlz5ZiE2fD9ik
+PRqpYwsVrxZfxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCX
+5fOeFnX67eHI5dJB8p3U2GS21qykDVLV5ZV+JZfZwXJEygIvr/T9vs772EPxv+0/
+TO0+pGdcVswXq/6BoUFCV0rWWTDP5wTS3sV1ZsSSHil5zEutXuAI1LQGlit6w5xn
+iDURFZw3ZmOFytXKXNbca1ma4yaCZtOwVe3O36GZeOiZFzBYE2DELqy77Nz1E5+3
+jZaDnx0vonV8/hhX6FAPRPQnIXkaEH3BnVQZGD1jxipbFQQtmeeNPELy18MQo30N
+W1wOsbMMouniKUjdT16tdtzJzC+l9pVqRC+8df5PJfN56Uv9Ed6pjytkSF1SvHyJ
+iTWmyxJL9AonUkc5Oiri
+-----END CERTIFICATE-----

CloudronPackages/APISIX/apisix-source/ci/pod/keycloak/server.key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC/F4wK7eMTVAKG
+DMLCXE+Y6REdA5GU6/AakJf3NEKQwCrtrqO+VBPIz445+edf3EEXhjFFGPdU6p0E
+kF0SMLaMsVBQQJ2qcP6FloIYiyT3WCs/gbtdoWq53ucAfWueIyHWsovLc0VhOXm0
+rhTYg88nMjJ7y6vYkfLMT6qlwASn9Tozgjat09fWATbN7yBi4ivVVsKDo2S3jkOy
+VnYYMjzZO3CSkyUSMl+ZsSesseSKA9c2zogfKIU833njraA8blMFfdinEMI/9yce
+Ex57IUjnpY1iWHLSItiZF+LKEpeLvp9gpr88ghR85ISusqAqwcmnsdAqjjw7gbPm
+1DIvUgVBAgMBAAECggEBAKUrrkGYI2mGePPzPbiP38E02zTv67sEQLJFfwUOp+bE
+I5b0F9agh8VQGghkyKgkEiNKO3YVQVuluvjB66CYeIGdleT4JQ+4wVcoo+ShCN++
+1wr6kMA6kKx+Tb8vqYCzr0ELbSf6x+Jksp0Ixz3qmHixu88jWbNFW89boQ3JrnyZ
+TUgRSRdPoXcxspwcbhy6mMhwUfUSy8Zcck81dBEAjokvzbYh4jtFYMipWqro66KJ
+B9uqQme2J/rN/2PSrA6chI85Wa+JaGOSPDaGNp+DrADjoVZf1tXgzGCsA/lmVtQ0
+8YN4Dh21EjLxz4Dj5GE7RWET4Ejvv1XEih1p+zKne00CgYEA327raCD5Fnr1nGTb
+Q4ZWkcDR6EGSD6JGD0ur+UqqJhirM/5b4iGcsVK5uufb5dwk9+9z0EucXOVq/il0
+vgG2FbgRYM8kx3CDLvMYAqKJ8e5NsGJWwJVq6DsmsO1SaEId+SVFH83RHfG5/ksq
+/DgRg0Wl9FoL7sHchuSIP2QiLrMCgYEA2vHcKsMZk/KGMBHVffY3PUckirIM6vLa
+idMmm0T0HSAdviZRxQGyOnjd93ZhMqFJPTrmHOq0uAxfdFt+oRoHk/pGarBCv76L
+NnPrSnVe1pJOh7Mm7LHLgrAgeM2WW7xz6jZwc8On+9qHK97I/wAnJB8J7DvQJ2hR
+sWCDSbfKtjsCgYEAnVE77tVIjMuGo9dfiuvLiFR7d0yzys43Bg4ByEUKCEjWQoWV
+rGJ+MVxN6YvXCME4RloS8VZLgh0GeG44BJCv5Br2IXO4MbTGqQgAn9pRxkZD7S1Q
+Z8jMvTboxypSG5ZyBDp5sSr5Ulwg2SuT2IKh0gv4DVRZkoJtA41lYTzf1IECgYBd
+3NJGgt20T4S3lu2v0p5b5uQDkdF36CVIcP1cE3OUCPC3VDY5/0ApUSfXryh8TCjZ
+1yZPv086mBNUDuV6q24UQndtxaLYERgdgBSfFzJRSuffxS4qyw40OM2y/HA5Y9FN
+14jeGEMr9cN9S0VgDPC6y5O1cu8J9e8P3BBsyh5dgQKBgHMlIhOJDO/neVnax79X
+d3+5GaiggUnkd27OkYC4LhXEc/QWeHE0ByA0bDhhnsE7IVK2CVC18axOLmEJVy2g
+F6ZtxcpNrlVtF4YaOiRVUcDNnz9gX48efrpdoX2iBSFEd1NRDo/bjkVXI1L08LNf
+BbMB104PadChoGpl5R3NQQsP
+-----END PRIVATE KEY-----